Systems and methods for a virtual fraud sandbox

ABSTRACT

A financial institution computing system associated with a financial institution includes a network interface configured to communicate data over a network, and a processing circuit comprising a memory and a processor. The memory has instructions stored thereon that cause the processor to receive, by the network interface, a content request from a user computing device associated with a user, the content request requesting content from a network destination, determine if the network destination is associated with a trusted entity, determine that the requested content prompts the user to input sensitive information, and transmit, by the network interface substitution content to the user computing device responsive to determining that the network destination is illegitimate and to determining that the requested content includes at least one field into which the user may input sensitive information, the substitution content including at least one prompt requesting the user to input sensitive information.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.16/589,748, titled “SYSTEMS AND METHODS FOR A VIRTUAL FRAUD SANDBOX,”filed on Oct. 1, 2019, which is a continuation of U.S. patentapplication Ser. No. 15/498,331, titled “SYSTEMS AND METHODS FOR AGENERATED FRAUD SANDBOX,” filed on Apr. 26, 2017, now U.S. Pat. No.10,474,836 issued Nov. 12, 2019, the entireties of which areincorporated herein by reference.

BACKGROUND

There are many potential traps for the unwary on the internet. Forexample, various fraudulent schemes exist that are designed to extractvaluable, sensitive information from users. For example, so called“phishing expeditions” involve a user receiving an illegitimate e-mailmessage that is arranged to pass itself off as a message from alegitimate entity (e.g., a merchant, financial institution, governmententity). Such e-mails may lure individuals into clicking a hyperlink orthe like to an illegitimate website. The website may request privateinformation from the user. If the user enters the requested information,such information may be used in ways that are quite harmful to the user(e.g., opening up a fraudulent bank account). Thus, it would bebeneficial to prevent such information from being provided to fictitiousentities and to educate users to avoid such occurrences.

SUMMARY

One embodiment relates to a financial institution computing systemassociated with a financial institution. The financial institutioncomputing system includes a network interface configured to communicatedata over a network. The financial institution computing system alsoincludes a network database configured to store information pertainingto a plurality of legitimate network destinations associated with aplurality of trusted entities and a plurality of fraudulent networkdestinations. The financial institution computing system also includes aprocessing circuit comprising a memory and a processor, the memorystructured to store instructions that are executable by the processor tocause the processor to receive, by the network interface, a contentrequest from a user computing device associated with a user, the contentrequest requesting content from a network destination not associatedwith the financial institution. The instructions also cause theprocessor to determine if the network destination is associated with atrusted entity based on the information stored in the network database.The instructions also cause the processor to determine that therequested content includes at least one field into which the user mayinput sensitive information. The instructions also cause the processorto transmit, by the network interface, substitution content to the usercomputing device responsive to determining that the network destinationis not associated with a trusted entity and to determining that therequested content includes at least one field into which the user mayinput sensitive information, the substitution content including at leastone prompt requesting the user to input sensitive information. Theinstructions also cause the processor to receive, by the networkinterface, a user input, the user input containing sensitive informationregarding the user. The instructions also cause the processor totransmit, by the network interface, a modified input to the networkdestination, the modified input comprising undecipherable information.The instructions also cause the processor to transmit, by the networkinterface, an alert to the user computing device, the alert informingthe user that the network destination from which the content wasrequested is illegitimate.

Another embodiment relates to a computer-implemented method. The methodincludes receiving, by a financial institution computing systemassociated with a financial institution, a content request from a usercomputing device associated with a user, the content request requestingcontent from a network destination not associated with the financialinstitution. The method also includes determining, by the financialinstitution computing system, if the network destination is associatedwith a trusted entity based on information stored at a networkdestination database associated with the financial institution computingsystem. The method also includes determining, by the financialinstitution computing system, that the requested content includes atleast one field into which the user may input sensitive information. Themethod also includes transmitting, by the financial institutioncomputing system, substitution content to the user computing deviceresponsive to determining that the network destination is not associatedwith a trusted entity and to determining that the requested contentincludes at least one field into which the user may input sensitiveinformation, the substitution content including at least one promptrequesting the user to input sensitive information. The method alsoincludes receiving, by the financial institution computing system, auser input, the user input containing sensitive information regardingthe user. The method also includes transmitting, by the financialinstitution computing system, a modified input to the networkdestination, the modified input comprising undecipherable information.The method also includes transmitting, by the financial institutioncomputing system, an alert to the user computing device, the alertinforming the user that the network destination from which the contentwas requested is illegitimate.

Another embodiment relates to a non-transitory computer readable mediahaving computer-executable instructions embodied therein that, whenexecuted by a processor of a financial institution computing systemassociated with a financial institution, cause the processor to performvarious operations. The operations include receiving a content requestfrom a user computing device associated with a user, the content requestrequesting content from a network destination not associated with thefinancial institution. The operations further include determining if thenetwork destination is associated with a trusted entity based oninformation stored at a network destination database associated with thefinancial institution computing system. The operations further includedetermining that the requested content includes at least one field intowhich the user may input sensitive information. The operations furtherinclude transmitting substitution content to the user computing deviceresponsive to determining that the network destination is not associatedwith a trusted entity and to determining that the requested contentincludes at least one field into which the user may input sensitiveinformation, the substitution content including at least one promptrequesting the user to input sensitive information. The operationsfurther include receiving a user input from the user computing device,the user input containing sensitive information regarding the user. Theoperations further include transmitting a modified input to the networkdestination, the modified input comprising undecipherable information.The operations further include transmitting an alert to the usercomputing device, the alert informing the user that the networkdestination from which the content was requested is illegitimate.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of an information protection system, accordingto an example embodiment.

FIG. 2 is a flow diagram of a method of verifying the authenticity of arequest for sensitive user information, according to an exampleembodiment.

FIG. 3 is a flow diagram of a method of facilitating the user providingsensitive user information to a trusted entity, according to an exampleembodiment.

FIG. 4 is a flow diagram of a method of preventing the user fromproviding sensitive user information to an untrusted entity, accordingto an example embodiment.

DETAILED DESCRIPTION

Referring generally to the figures, various systems, methods, andapparatuses for preventing the transmittal of sensitive user informationto untrusted entities through an information protection system aredescribed herein. More particularly, systems and methods for preventingthe communication of sensitive user information via a virtual sandboxare described herein.

In various example embodiments, a separate computing system acts as aproxy or intermediary for the user when the user requests informationfrom various other entities over a network via a user computing device.For example, if a user selects a hyperlink to a webpage so as toinitiate communications with an external entity, the separate computingsystem performs various actions to verify the legitimacy of the externalentity such as cross-referencing the hyperlink against a list of knownfraudulent hyperlinks stored in a database. Additionally, the separatecomputing system may also determine if the hyperlink leads to a webpagethat requests the user to provide sensitive information. In variousarrangements, if the separate computing system determines that theexternal entity is not a legitimate entity and that the user-requestedcontent involves the transmittal of sensitive user information, theseparate system transmits virtual sandbox content to the user computingdevice. The virtual sandbox content may mimic the requested content andalso request sensitive user information from the user. Upon the user'ssubmittal of sensitive information into the sandbox content, theseparate computing system may encrypt the user-entered information usingan undecipherable key and transmit the encrypted user-enteredinformation to the external entity. The encrypted user-enteredinformation may include a request for the external entity to prove itsidentity to the separate computing system. Additionally, the separatecomputing system may transmit an alert to the user explaining that suchsensitive information should not be entered when communicating with anuntrusted data source. As a result of these steps, the user is preventedfrom providing sensitive information to untrusted entities and iseducated about steps to take to prevent such occurrences in the future.

As used herein, the term “sensitive information” refers to any datadescriptive of any attribute of a user that may potentially be used byany entity. Examples of sensitive information may include, in additionto other things, a user's name, address, phone number, e-mail address,social security number, driver's license number, and payment accountinformation.

As used herein, the term “virtual sandbox content” refers to contentthat serves as a substitute for original content requesting informationfrom a user. Virtual sandbox content may take a variety of forms. Forexample, virtual sandbox content may be in the form of webpages,automated voice messages, text messages, push notifications, e-mailmessages, and the like. As such, virtual sandbox content may alsoinclude modified forms of original content.

The embodiments described herein solve the technical andinternet-centric problem of preventing users from providing sensitiveinformation to untrusted entities. This is done by transmittingencrypted user data to the external entity rather than the actualsensitive information received from the user. Additionally, bytransmitting mimicked content to the user that also requests sensitiveuser information, the systems and methods disclosed herein assembledatasets on user entry of sensitive information. Further, because usersgo through the process of actually entering sensitive information intothe virtual sandbox content prior to receiving an alert, user behavioris accurately monitored and users are better educated to avoidperforming such a process in the future.

Referring now to FIG. 1 , a block diagram of an information protectionsystem 100 is shown, according to an example embodiment. As will bedescribed below, the information protection system 100 prevents a user110 from providing sensitive user information to certain third partyentities 130. The information protection system 100 includes a usercomputing device 112 associated with a user 110, a third party computingsystem 132 associated with a third party 130, and a financialinstitution computing system 142 associated with a financial institution140, whereby these components are communicably coupled to one anotherover the network 160. The network 160 provides communicable andoperative coupling between the user computing device 112, the financialinstitution computing system 142, and other components disclosed anddescribed herein to provide and facilitate the exchange ofcommunications (e.g., data, instructions, messages, values, commands).The network 160 is a data exchange medium, which may include wirelessnetworks (e.g., cellular networks, Bluetooth®, WiFi, Zigbee®), wirednetworks (e.g., Ethernet, DSL, cable, fiber-based), or a combinationthereof. In some arrangements, the network includes the Internet.

The user 110 is an entity (e.g., individual, organization, computingsystem) desiring to access content provided by a third party 130. Forexample, the user 110 may be an individual attempting to access auniform resource locator (URL) associated with a server (e.g., thirdparty computing system 132) associated with a third party 130 via a webbrowser. The third party 130 is an entity (e.g., individual,organization, computing system) providing content that is accessible tothe user 110. For example, the third party 130 sends a hyperlink to theuser 110 via an e-mail message. Accordingly, the third party 130 mayoperate a web server that provides webpages to the user 110 in responseto receiving a user request for content. The third party 130 includestrusted and untrusted entities.

The financial institution 140 is an entity that, in some arrangements,acts as an intermediary in the communications between the user 110 andthe third party 130. For example, if the user 110 transmits a requestfor content from the third party 130, such a request may first berelayed to the financial institution 140 for processing by the methodsdisclosed herein. The financial institution 140 may include commercialor private banks, credit unions, investment brokerages, or the like.While the embodiments illustrated in the figures illustrate theintermediary as a financial institution, it should be understood thatany type of entity or system may serve as the intermediary in accordancewith the systems and methods disclosed herein.

The user computing device 112 is a computing device associated with theuser 110. The user computing device 112 may be any type of computingdevice that may be used to send and receive information over the network160. In this regard, the user computing device 112 may include anywearable or non-wearable device. Wearable devices refer to any type ofdevice that an individual wears including, but not limited to, a watch(e.g., smart watch), glasses (e.g., eye glasses, sunglasses, smartglasses), bracelet (e.g., a smart bracelet), etc. User computing device112 may also include any type of mobile device including, but notlimited to, a phone (e.g., smart phone), tablet, personal digitalassistant, and/or computing devices (e.g., desktop computer, laptopcomputer, personal digital assistant).

In the example embodiment shown, the user computing device 112 includesa network interface 114 enabling the user computing device 112 toexchange information over the network 160, a client application 116, aprotection client 118, and a user input/output (“I/O”) device 120. Theuser I/O device 120 includes hardware and associated logics configuredto enable the user computing device 112 to exchange information with theuser 110. An input device or component of the user I/O device 120 allowsthe user 110 to provide information to the user computing device 112,and may include, for example, a mechanical keyboard, a touchscreen, amicrophone, a camera, a fingerprint scanner, any user input deviceengageable with the user computing device 112 via a USB, serial cable,Ethernet cable, and so on. An output device or component of the user I/Odevice 120 allows the user 110 to receive information from the usercomputing device 112, and may include, for example, a digital display, aspeaker, illuminating icons, LEDs, and so on.

The client application 116 is structured to communicably couple the usercomputing device 112 with various other computing systems via thenetwork 160. In some arrangements, the client application 116constitutes a web browser hard coded into the memory of the usercomputing device 112 including executable instructions that cause usercomputing device 112 to communicate with various backend server systemsvia a communications protocol (e.g., the HTTP protocol). As such, theclient application 116 may present the user with various displaysenabling the user 110 to input a desired network destination from whichto receive content and displays including the received content. Further,the client application 116 may include various fraud prevention modules.For example, the client application 116 may include a list of trustedcertificate authorities as well as a processing algorithm configured todetermine if digital certificates received from various third parties130 were issued by any of the trusted authorities. All known securitymeasures in standard web browsers may be included.

In some arrangements, the client application 116 constitutes anapplication configured to cause the user computing device 112 tocommunicate with a specific computing system over the network 160. Forexample, the client application 116 may include an e-mail applicationwhereby the user 110 is able to view various messages sent to the user110 by various other parties. In such cases, the client application 116may include a widget or the like that enables the user to requestcontent from various third parties 130. For example, a user e-mail mayinclude a hyperlink to a web page provided by a third party 130. Uponselection of the hyperlink by the user 110 the client application 116,similar to a web browser, may transmit a content request to receive theweb page from the third party 130 and, upon receipt of the web page,render the web page viewable from within the client application 116. Theclient application 116 includes any mechanism through which the user 110may request content from a third party 130 over the network 160.

The protection client 118 is structured to communicably couple theclient application 116 to the financial institution computing system142. As such, the protection client 118 may include a plugin to theclient application 116. Alternatively, the client application 116 may bea standalone application on the user computing device 112 and include,for example, an application programming interface (API) or the like thatis configured to facilitate the integration of the protection client 118with the client application 116. In various embodiments, the protectionclient 118 causes the user computing device 112 to redirect any requestsfor content from third parties 130 to the financial institutioncomputing system 142. In other words, the protection client 118 causesthe financial institution computing system 142 to become a proxy serverfor the user computing device 112 whereby the financial institutioncomputing system 142 can perform various operations to prevent certaincontent from being received by the user computing device 112 by themethods described below.

In some arrangements, the protection client 118 performs an initialanalysis on any requests for content made by the user 110. For example,the protection client 118 may include various datasets maintained in anetwork destination database 150 at the financial institution computingsystem 142. As will be described below, such datasets may cataloguevarious network destinations (e.g., domain names, websites, IPaddresses) that are trusted or known to be fraudulent by the financialinstitution 140. In some arrangements, such data may be transmitted tothe user computing device 112 when the protection client 118 isinitially installed by the user 110 on the user computing device 112. Inany event, upon the user 110 providing an input to the clientapplication 116 to request information from a third party computingsystem 132 over the network 160 (e.g., by clicking a hyperlink or byinputting a URL), the protection client 118 is configured to crossreference the content request against the datasets to determine if therequest is for content is from a trusted or fraudulent source. In somearrangements, upon making such a determination, a notification signalindicating the determination may be transmitted to the financialinstitution computing system 142.

In some arrangements, upon determining that the content request is forcontent from a fraudulent third party 130, the protection client 118 maynevertheless request the content via the network 160 and, upon the usercomputing device 112 receiving such content, perform an initial analysison the content to determine if the received content requests sensitiveinformation from the user 110. For example, the protection client 118may parse any received HTML, content to identify any information beingrequested from the user. In response to making such a determination, theprotection client 118 itself may retrieve virtual sandbox content from,for example, a storage unit of the user computing device 112 to presentto the user. In such embodiments, the virtual sandbox content, which maybe similar in form to the content stored in the content database 152described below, may be transmitted to the user computing device 112when the protection client 118 is installed by the user 110. Asdescribed below, the sandbox content may request various forms ofsensitive information from the user 110. Upon the user 110 entering therequested information, the protection client may scramble (e.g.,encrypt) the entered information so as to render it indecipherable andtransmit the scrambled information to the third party computing system132. Further, after performing such a process, the protection client 118may further present an alert to the user 110 notifying the user 110 thatsensitive information was almost transmitted to a fraudulent entity.

In various embodiments, the third party computing system 132 includes abackend server system configured to direct content (e.g., in the form ofwebpages and the like) to various requesting computing devices (e.g.,the user computing device 112 and/or financial institution computingsystem 142). As shown, the third party computing system 132 includes anetwork interface 136 enabling the third party computing system 132 toexchange data over the network 160 and a data exchange circuit 134. Thedata exchange circuit 134 is configured to selectively retrieve contentstored at the third party computing system 132 to fulfill variouscontent requests received from requesting computing devices over thenetwork 160. For example, in some arrangements, when a user 110transmits a content request to the third party computing system 132 viathe user computing device 112, the data exchange circuit 134 establishesa connection with the user computing device 112 via any establishedprotocol (e.g., the TCP/IP protocol). The data exchange circuit 134 mayexchange digital credentials (e.g., digital certificates and encryptionkeys) with the user computing device 112 to establish a securecommunication channel with the user computing device 112 over thenetwork 160. Once the secure communication channel is established, thedata exchange circuit 134 selectively retrieves datasets stored at thethird party computing system 132 either based on the initial contentrequest received from the user computing device 112 (e.g., if theinitial content request contains a file path) or transmits a defaultwebpage (e.g., a homepage) to the user computing device 112. Additional,more specific content requests received from the user computing device112 may be fulfilled (e.g., generated based on user interactions withthe default webpage) via the established secure channel.

The financial institution computing system 142 includes a networkinterface 144 enabling the financial institution computing system 142 toexchange data over the network 160, a communication protection circuit146, a user account database 148, a network destination database 150,and a content database 152.

The user account database 148 is a storage device structured toretrievably store user information relating to the various operationsdiscussed herein, and may include non-transient data storage mediums(e.g., local disc or flash-based hard drives, local network servers) orremote data storage facilities (e.g., cloud servers). The accountdatabase 148 includes personal user information (e.g., names, addresses,phone numbers), identification information (e.g., driver's licensenumbers, standard biometric data), and user financial information (e.g.,token information, account numbers, account balances, available credit,credit history, transaction histories). In some embodiments, the accountdatabase 148 stores any of the previously discussed information as itrelates to the user 110, as the user may hold an account at thefinancial institution 140. In some embodiments, the user database 148includes information regarding a caretaker or guardian of the user 110.For example, the user database may store information regarding acomputing device (similar to the user computing device 112) belonging tothe guardian (e.g., a phone number or IP address). In some embodiments,the guardian is provided control over the third parties 130 to which theuser 110 provides sensitive information. As such, any of the alertsdescribed herein may also be transmitted to the guardian's computingdevice.

The network destination database 150 is structured to retrievably storeinformation pertaining to various third parties 130 and associatedcomputing systems 122. The network destination database 150 may includenon-transient data storage mediums (e.g., local disc or flash-based harddrives, local network servers, and the like) or remote data storagefacilities (e.g., cloud servers). In some arrangements, the networkdestination database 150 stores information regarding various networkdestinations (e.g. a list of particular URLs, server addresses, and/orwebpage attributes) that have been determined to be fraudulent orlegitimate. For example, the communication protection circuit 146 mayaccess any known data sources (e.g., forums, various fraud preventionservices, user reports, and the like) to identify a list of knownfraudulent network destinations. Such a list may be maintained as adataset in the network destination database 150. Additionally, thenetwork destination database 150 may also include a listing of trustednetwork destinations. For example, if a particular third party 130 is acustomer of the financial institution 140, the financial institution 140may include information pertaining to any URLs or file paths associatedwith that particular third party 130.

In some embodiments, the network destination database 150 may also storevarious attributes associated with any known fraudulent content. Forexample, a particular third party 130 engaging in a fraudulent scheme toextract sensitive information from various users 110 may frequentlychange the URL used to perform such a scheme, but deliver similarcontent to various users. Accordingly, upon learning that a particularfraudulent webpage requests sensitive information (e.g., a customer ofthe financial institution 140 may report a fraudulent transactionperformed using stolen account information, and identify the website),the communication protection circuit 146 may access such a web page andextract information describing various aspects of the fraudulentwebpage. The information may describe, for example, the identity of anysensitive information requested from the user 110, the arrangement ofthe various fields into which the user 110 is directed to input thesensitive information, a webpage coloring scheme, the placement of alogo or other graphical element, a title or name of the website, and thelike.

The content database 152 is structured to retrievably store content thatis to be transmitted to the user 110. The content database 152 mayinclude non-transient data storage mediums (e.g., local disc orflash-based hard drives, local network servers, and the like) or remotedata storage facilities (e.g., cloud servers). In various arrangements,the content database 152 includes content that is viewable via theclient application 116 on the user computing device 112. Accordingly, inarrangements where the client application 116 is a web browser, thecontent database 152 may store various webpages that may be transmittedto the user computing device 112 over the network 160. In variousarrangements, the content may be specifically configured as virtualsandbox content. As such, the webpages request various forms ofsensitive information (e.g., addresses, bank account numbers, socialsecurity numbers, and the like) from the user 110. In some arrangements,the content database 152 includes a plurality of pre-generated web pagesincluding varying amounts of information and requesting various amountsof sensitive information from the user 110.

In some arrangements, the content database 152 includes various web-pagetemplates and various graphics that can be used to populate the templateto generate a web-page to be transmitted to the user 110. For example, aparticular webpage may include a first portion including various fieldsthat request various forms of sensitive information from the user 110.The webpage may include additional portions into which various graphicsor messages may be inserted. As such the webpage may be customized tomimic any content received from third party computing systems 132. Forexample, the communication protection circuit 146 may copy a messageincluded in content received from a third party computing system 132 andinsert the message into a portion of the webpage. Similar procedures maybe followed for various other aspects of the received webpage (e.g.,graphics, color schemes, and the like).

In some arrangements, the content database 152 may include content usedby the communication protection circuit 146 to transmit alerts to theuser 110 or individuals associated with the user 110. For example, inone embodiment, the content database 152 includes various alertwebpages. Each alert webpage may include an alert message. The alertmessage may include content that notifies the user 110 of the dangers ofsharing sensitive user information with unfamiliar entities. Further,the alert messages may include various fields that can be populated withdata pertaining to the particular circumstance of the user 110. Forexample, the message may include a URL field in which a particular URLthat the user 110 attempted to access can be inserted. Similar otherfields may be populated by various other aspects of the web contentrequested by the user 110 such as logos, web-page characteristics (e.g.,coloring schemes, entity names included on the webpage, a fraudindicator of the web-page, and the like). This way, the user 110 may beinformed so as to avoid requesting such content again in the future.

The communication protection circuit 146 is structured to performvarious operations to prevent the user from providing sensitiveinformation to an untrusted third party 130. Accordingly, thecommunication protection circuit 146 is configured to receive anyrequests for content from the third parties 130 made by the user 110 byway of the client application 116. For example, when the user 110installs the protection client 118 on the user computing device 112, thecommunication protection circuit 146 may establish a communication nodewith the protection client 118 on user computing device 112 such that,whenever user content requests are transmitted to the financialinstitution computing system 142 by way of the protection client 118,the communication protection circuit 146 initiates a process to performvarious checks before directing the requested content to the user 110.

Initially, the communication protection circuit 146 may perform variouschecks that are similar in nature to those performed by a web browser.For example, the communication protection circuit 146 may establish aconnection with the third party computing system 132, exchange variouskeys, receive digital certificates, and perform various checks on thecertificates to perform an initial check of the authenticity of theassociated third party 130. For example, the communication protectioncircuit 146 may identify a certificate authority that issued any digitalcertificates received from the third party computing system 132 andcross reference the identified authority with a list of known trustedauthorities (e.g., stored in the network destination database 150).Additionally, the communication protection circuit 146 may also checkvarious entries on the certificate (e.g., that the certificate wasactually issued to the URL that the user 110 is attempting to access,and the like) to ascertain the authenticity of the third party 130. Insome embodiments, if the initial checks reveal that the requestedcontent is fraudulent (e.g., if a digital certificate is invalid), theuser 110 may be denied access to the requested content and/or a warningmessage may be transmitted to the user computing device 112.

After performing such initial checks, the communication protectioncircuit 146 may itself transmit a content request to the third partycomputing system 132. Upon receipt of the content, the communicationprotection circuit 146 may parse the content and determine if thereceived content requests any form of sensitive information from theuser 110. For example, the communication protection circuit 146 may runan analysis on the received content to identify any common field namescontained on web pages that request sensitive information. Such fieldnames may identify a piece of sensitive information requested from theuser 110. For example, a particular webpage requesting sensitiveinformation from the user 110 may include a field name “social securitynumber” next to a field into which such information may be entered.Thus, by searching the received content for such field names, thecommunication protection circuit 146 may determine if sensitiveinformation is being requested.

If it is determined that the content requested by the user 110 requestssensitive information from the user 110, additional checks may beperformed on the requested content to ascertain the authenticity of thethird party 130. In some embodiments, the communication protectioncircuit 146 cross references various aspects of the received contentwith content stored in the network destination database 150. Forexample, the communication protection circuit 146 may cross-referencethe URL, IP address, or file path associated with the received contentwith various blacklists and whitelists maintained in the networkdestination database 150. The blacklists may list URLS/addresses/pathsthat have been associated with fraudulent schemes in the past. Such datamay be continuously updated by the communication protection circuit 146based on recent reports of fraudulent schemes. The whitelists mayinclude similar list associated with entities trusted by the financialinstitution 140. For example, the whitelists may include URL'sassociated with entities that are customers of the financial institution140.

In some arrangements, if the communication protection circuit 146 cannotascertain the trustworthiness of the third party 130 via accessing theblacklists or whitelists included in the network destination database150, additional checks may be performed on the received content. Forexample, the communication protection circuit 146 may identify variouscharacteristics contained in the received webpage (e.g., logos, colorschemes, company name placements, placements of other graphics, and thelike). For a particular characteristic, the communication protectioncircuit 146 may run a comparison of the identified characteristic withthat of other web-pages identified as being associated with fraudulententities. For example, if the communication protection circuit 146identifies that a particular webpage includes a particular logo (e.g.,associated with a particular entity or a particular name) at aparticular location, the communication protection circuit 146 may accessthe network destination database 150 and identify other webpagesidentified as being fraudulent that include the same logo (suchinformation may, for example, be contained in lookup tables identifyingvarious logos and identifying the particular logos contained at eachwebpage). If the logo is contained on a fraudulent site, thecommunication protection circuit 146 may compare the identified locationinformation of each of the web pages. If the logo location on thereceived content matches that of the fraudulent webpage, the receivedcontent may be identified as fraudulent. Similar analysis may beperformed for various other characteristics of the received content.

Further, the communication protection circuit 146 may check the receivedcontent for various fraud indicators. Fraud indicators may be attributescommonly associated with fraudulent websites such as misspelled domainnames, mismatches between domain names and webpage titles or companynames contained in the webpage, the absence of a webpage title, certainmessages contained in the received content (e.g., indicating that theuser 110 has won a reward), and the like. Accordingly, the communicationprotection circuit 146 may perform an analysis on the received webcontent to identify any such inconsistencies or other fraud indicators.

In some arrangements, if the received content passes any or all of theabove described fraud checks, the communication protection circuit 146may enable the user access to requested content. In some arrangements,the communication protection circuit 146 relays the received content tothe user computing device 112. Alternatively, the communicationprotection circuit 146 may transmit a legitimacy indication to the usercomputing device 112 which may enable the user computing device 112 totransmit a content request to the third party computing system 112 toreceive the requested content. In such arrangements, if, for example thecommunication protection circuit 146 identified the third party 130 as atrusted entity (e.g., as a customer of the financial institution 140 orthe like), such a legitimacy notification may also cause a notificationto be displayed to the user 110 on the client application 116. Thenotification may be viewable simultaneously with any content receivedfrom the third party computing system 132, and identify the third partyas a trusted entity. Further, the notification may also be configured toreceive a user preference to enter the requested information. Inresponse to receiving such a preference, the communication protectioncircuit 146 may act on the user 110's behalf to provide the requestedinformation to the third party 130. For example, the communicationprotection circuit 146 may retrieve the requested information (e.g., theuser 110's name, address, social security number, payment accountinformation, and the like) and transmit the retrieved content back tothe third party computing system 132, thereby completing anytransactions proposed by the received content. Thus, the user 110 avoidsthe hassle of entering the requested information. Further, because theinformation is automatically populated, user entry errors arebeneficially avoided.

However, if the content received from the third party computing system132 fails any or all of the above tests performed by the communicationprotection circuit 146, the communication protection circuit 146 mayperform various actions to protect sensitive user information. Forexample, the communication protection circuit 146 may selectivelyretrieve virtual sandbox content from the content database 152 fortransmittal to the user. In this regard, the communication protectioncircuit 146 may identify the information requested from the user 110 bythe received content. For example, the communication protection circuit146 may identify various field names included in the received content(e.g., by performing a textual search of the received content forvarious terms such as “SSN,” “account number,” “address,” and the like).Upon identifying the information that is requested, the communicationprotection circuit 146 may identify a webpage or the like stored at thecontent database 152 that requests the same or similar information fromthe user 110. The selection may also be based on other characteristicsof the received content. For example, if the received content has a redbackground, the communication protection circuit 146 may retrieve awebpage also having a red background.

Alternatively, instead of retrieving substitute content from the contentdatabase 152 to deliver to the user 110, the communication protectioncircuit 146 may modify the content received from the third partycomputing system 132. For example, the communication protection circuit146 may place an identifier or a tag on the received web content priorto transmitting the content to the user computing device 112. Such a tagmay not be visible to the user, but may cause the communicationprotection circuit 146, upon re-receiving the content after the user 110enters the requested information, to scramble the user-input informationprior to relaying the content back to the third party computing system132. Similar operations may be performed on any information input by theuser 110 into the virtual sandbox content transmitted to the user 110.This way, the user 110 is prevented from providing sensitive informationto an untrusted entity. Further, by going through the process ofproviding virtual sandbox content to the user 110 and receiving userresponses including sensitive information, the systems and methodsdisclosed herein enable the collection of useful data regarding variousschemes through which wrongdoers seek to collect sensitive information.

Referring now to FIG. 2 , a flow diagram of a method 200 of verifyingthe authenticity of a request for sensitive user information is shown,according to an example embodiment. In various embodiments, the method200 is performed by the components shown in FIG. 1 such that referencemay be made to the components of FIG. 1 to aid the description of themethod 200.

A user request for content from a network destination is received at202. In some arrangements, the user request for content is received bythe network interface 144 of the financial institution computing system142. For example, a user may encounter a hyperlink while accessing awebpage via the client application 116 and select the hyperlink to causethe client application 116 to formulate a request for content from anetwork destination associated with a third party computing system 132.However, the user computing device 112 may have a protection client 118implemented thereon or the client application 116 may be configured suchthat the request is directed to the financial institution computingsystem 142 rather than the third party computing system 132. The requestfor content may include a URL associated with the hyperlink.

Initial security checks are performed on the network destination at 204.In some embodiments, the communication protection circuit 146 performsinitial security checks based on information contained in the receivedcontent request. For example, if the request for content includes a URL,the communication protection circuit 146 may cross-reference the URL orparts thereof (e.g., domain name, file path, and the like) against alist of various known fraudulent URLs or URL components. Further, thecommunication protection circuit 146 may initiate a sequence to retrievea network address (e.g., an IP address) associated with the networkdestination, and cross reference the retrieved address against a list ofaddresses associated with fraudulent actors.

Communications with the network destination are initiated and additionalsecurity checks are performed at 206. In some embodiments, thecommunication protection circuit 146 replicates the request for contentreceived at 202 and transmits the request to the third party computingsystem 132 over the network 150 via the network interface 144. Forexample, the communication protection circuit 146 may establish atransmission control protocol (TCP) connection with the networkdestination and exchange digital certificates with the third partycomputing system 132. The communication protection circuit 146 mayidentify the third party 130 associated with the third party computingsystem 132 based on the received digital certificate, andcross-reference the third party 130 against a list of known fraudulententities stored in the network destination database 150. Additionalchecks may be performed on the digital certificates (e.g., the issuingentity, cross-referencing of the URL listed on the certificate to theURL selected by the user 110, and the like). In various arrangements, ifthese additional security checks are met, encryption keys are exchangedand the content requested by the user 110 is received at the financialinstitution computing system 142.

It is determined if the received content requests sensitive informationfrom the user at 208. In some embodiments, the communication protectioncircuit 146 assesses content received from the third party computingsystem 132 to determine if the received content prompts the user 110 toinput sensitive information. For example, the communication protectioncircuit 146 may perform an analysis on the content received from thethird party computing system 132 to determine if it includes field namesdescribing various forms of sensitive user information. If the receivedcontent otherwise passes the initial security checks and does notrequest sensitive information from the user 110, the content is relayedto the user computing device 112 over the network 160.

It is determined if the network destination is associated with a trustedentity at 210. In some embodiments, the communication protection circuit146 cross references the received content against information stored inthe network destination database 150 to determine the trustworthiness ofthe third party 130. As discussed above, the network destinationdatabase 150 may include a list of URLs, and entity names that aretrusted by the financial institution 140. Accordingly, the communicationprotection circuit 146 may identify the third party 130 associated withthe third party computing system 132 (e.g., based on a digitalcertificate received at 208 from a trusted certificate authority) andcompare the third party 130 with the list of trusted entities containedin the network destination database 150. If the communication protectioncircuit 146 determines that the third party 130 is a trusted entity, themethod 200 may advance to 212 and facilitate completion of a securedcommunication between the user 110 and the third party 130 (shown inFIG. 3 ).

If, however, the third party 130 is not a trusted entity, it isdetermined if the network destination is associated with a fraudulententity at 214. In some embodiments, the communication protection circuit146 cross references the received content against information stored inthe network destination database 150 to determine the trustworthiness ofthe third party 130. In various arrangements, the communicationprotection circuit 146 cross-references the information received fromthe third party computing system 132 with various databases of URLblacklists and fraudulent entity names maintained at the networkdestination database 150. If the communication protection circuit 146determines that the third party 130 is a fraudulent entity, the method200 may advance to 216 and prevent the user from providing sensitiveinformation to the third party 130 (shown in FIG. 4 ).

If the classification of the third party 130 is still unknown after 214,however, additional security checks on the received content may beperformed at 218. In some embodiments, the communication protectioncircuit 146 parses the content received from the third party 130,identifies various characteristics of the contents received from thethird party 130, and assesses the identified characteristics todetermine if any fraud indicators are present. For example, thecommunication protection circuit 146 may compare the domain name in theURL entered by the user 110 with a title of the received webpage.Oftentimes, a mismatch between the two may be an indication that thereceived content is fraudulent. Additionally, the communicationprotection circuit 146 may identify a color scheme of the receivedcontent (e.g., a percentage that bears a particular color) and comparethe color scheme with those of various other webpages that werepreviously determined to be fraudulent. Images contained in the receivedcontent may also be cross-referenced with other aspects of the receivedcontent (e.g., a logo may be cross-referenced with a written corporatename on the webpage). Further, the communication protection circuit 146may further assess the words contained in the received content toidentify the reason why sensitive information is being requested. Forexample, a received webpage may include a descriptive paragraphdescribing a product or service to be provided to the user 110 inexchange for the user 110 inputting sensitive information. Certainkeywords (e.g., “free” or “reward”) in such a paragraph may be fraudindicators.

It is determined if the received content includes any additional fraudindicators at 220. In some embodiments, the communication protectioncircuit 146 assesses additional identified characteristics of thereceived content for additional fraud indicators. For example, if acoloring scheme of the received webpages matches that of another webpagepreviously determined to be fraudulent, the received content may beidentified as including a fraud indicator. A fraud indicator may includeany of the inconsistencies (e.g., in spelling) discussed above or anysimilarity with webpages previously determined to be fraudulent. If thecommunication protection circuit 146 identifies any fraud indicators,the method 200 may advance to 216 and proceed as if the third party 130were identified as fraudulent at 214.

In some embodiments, if there are no fraud indicators in the receivedcontent, an alert is transmitted to the user computing device 112 at222. In some embodiments, the communication protection circuit 152generates the alert using content stored in the content database 152 andcauses the alert to be transmitted to the user computing device 112 overthe network 160 via the network circuit 160. The alert may be viewableby the user via the client application 116 on the user computing device112. The alert may indicate to the user that the third party 130 is nota trusted entity and is requesting sensitive information from the user110. The alert may request an input from the user to indicate a userpreference to still enter sensitive information despite the third party130 not being a trusted entity. In some embodiments, the alert may betransmitted to a computing device associated with a caretaker or otherindividual having a relationship to the user 110 (e.g., a spouse, anindividual pre-identified by the user 110, or the like) rather than theuser computing device 112. In such embodiments, the alert may alsoinclude a URL to the received content, enabling the caretaker to viewthe received content and assess its validity. As such, the caretaker orother individual may control the user's ability to input sensitiveinformation to untrusted third parties 130. Additionally, another alertmay be transmitted to the user computing device 112 indicating to theuser 110 that permission from the caretaker is being sought.

It should be noted that, in some embodiments, the financial institutioncomputing system 142 skips steps 222-232 when no fraud indicators arefound on the received content. In such embodiments, if the third party130 is found not to be a trusted entity at 210, the method 200 simplyadvances to step 216 and performs the method 400 described below.

A user input indicating a user preference to enter the sensitiveinformation is received at step 224. In some embodiments, thecommunication protection circuit 146 receives the user input via thenetwork interface 144. For example, the user 110 or other individualassociated therewith may interact with the alert to provide such aninput, causing a signal to be transmitted to the financial institutioncomputing system 142 over the network 160.

In response to such an input, the requested content is directed to theuser computing device 112 at 226. In some embodiments, the communicationprotection circuit 148 directs the content received from the third party130 at 206 to the user computing device 112. In response, the user 110may input the requested information and interact with the receivedcontent (e.g., by pushing a “submit” button or the like) to indicate apreference to transmit the input information to the third party 130. Inresponse, the protection client 118 may redirect the user-inputinformation to the financial institution computing system 142.Accordingly, user-input sensitive information is received at 228.

The user-input sensitive information is used to verify the user 110 at230. In some embodiments, the communication protection circuit 146 crossreferences the user-input sensitive information with information storedin the account database 148. If the user-input information matches thatstored in the account database 148, the user 110 may be verified, andthe user-input information may be transmitted to the network destinationat 232. As such, the user 110 is able to complete the desiredtransaction.

Referring now to FIG. 3 , a method 300 of facilitating the user 110providing sensitive user information to a trusted entity is shown,according to an example embodiment. In various embodiments, the method300 is an extension of the method 200 discussed above in relation toFIG. 2 (e.g., at step 212). For example, as discussed above, the method300 may be performed responsive to the communication protection circuit146 identifying that the network destination (e.g., the URL or the like)from which the user 110 is requesting content is associated with atrusted entity. For example, if the user 110 is requesting a specificwebpage that has been predesignated by the financial institution 140 asbeing legitimate (e.g., in the network destination database 150), themethod 300 may be initiated. As will be described below, the method 300enables the communication protection circuit 146 to provide thesensitive user information to trusted entities on behalf of the user110. As such, prior to performing such an action, it is desirable toverify that the user 110 is actually requesting the content from thethird party 130 via the user computing device 112 rather than someoneelse.

The user is presented with a verification interface at 302. In somearrangements, the communication protection circuit 146, upon determiningthat the requested content requests the user 110 to input sensitiveinformation, retrieves a verification interface from the contentdatabase 152 and transmits the interface (e.g., as a webpage viewablevia the client application 116) to the user computing device 112. Theverification interface prompts the user to input information that can beused to verify the user 110. For example, in some embodiments, theverification interface may prompt the user 110 to input online bankingcredentials associated with a banking website provided by the financialinstitution computing system 142. In some arrangements, the verificationinterface may request the user 110 to answer a security question or thelike. In some arrangements, the verification interface may request theuser 110 to input a portion of the sensitive information requested bythe requested content. In some arrangements, the verification interfacerequests the user 110 to indicate a preference whether the user 110would like to provide the requested information to the third party 130.

In some arrangements, the verification interface may be viewablesimultaneously with the requested content. For example, upon determiningthat the network destination is associated with a trusted entity (e.g.,at the step 210 discussed above in relation to the method 200), thefinancial institution computing system 142 may direct the requestedcontent as well as the verification interface to the user computingdevice 112 such that both are viewable to the user via the clientapplication 116. For example, the verification interface may be includedon one portion of the display of the user computing device 112, whilethe requested content may be included on another, separate portion ofthe display. This way, the user 110 can view the requested content,determine if they would like to input the requested information, and doso by inputting the requested information into the verificationinterface.

The user's verification response is received at 304. For example, theuser 110 may input the information requested by the verificationinterface and indicate a preference to provide to the third party 130the requested information by submitting the requested information to thefinancial institution computing system 142.

Upon receipt of the user 110's verification response, the communicationprotection circuit verifies the user 110 at 306. For example, if theuser inputs a set of online banking credentials into the verificationinterface, the communication protection circuit 146 may compare theuser-input credentials to credentials stored in the user accountdatabase 148 to verify the user 110. In another example, the user inputsa set of sensitive user information (e.g., a name, address, spousesname, and the like), the communication protection circuit 146 retrievessuch information from the account database 148 and compares the storedinformation to the user-input information to verify the user. If theuser is not verified (i.e., if the user-input information does not matchthe information stored at the financial institution computing system142), then the user is denied access to the requested content at 308. Assuch, the requested sensitive information will not be transmitted to thethird party computing system 132. This way, unauthorized individuals whomanage to access the user computing device 112 are unable to providesensitive information to various third parties 130.

If the user 110 is verified, however, the sensitive information beingrequested by the requested content is retrieved from the accountdatabase 148 at 310. As discussed above, the communication protectioncircuit 146 may identify the sensitive information being requested fromthe user 110. In various situations, all of the information requestedfrom the user 110 is maintained at the account database 148. Thus, suchinformation can be conveniently retrieved and used to auto-populate thevarious fields contained in the content received from the third partycomputing system 132. In some situations, certain information requestedfrom the user 110 may not be stored in the account database 148. In sucha case, the communication protection circuit 146 may transmit aninformation request to the user computing device 112 requesting themissing information from the user, and use any user response to populatethe associated field.

The requested information is transmitted to the network destination at312. Once all of the information that is requested from the user 110 isretrieved and the content received from the third party computing system132 is populated, the communication protection circuit 146 transmits therequested information back to the third party computing system 132 overthe network. Thus, the user 110 is able to efficiently provide sensitiveinformation to trusted entities. Data-entry errors are avoided becausethe financial institution 140 is able to effectively act as the user110's intermediary in such transactions. Additionally, since the user110 must be verified prior to the sensitive information beingtransmitted, the user's security is further ensured.

Referring now to FIG. 4 , a flow diagram of a method 400 of preventingthe user 110 from providing sensitive user information to an untrustedentity is shown, according to an example embodiment. In variousembodiments, the method 400 is an extension of the method 200 discussedabove in relation to FIG. 2 (e.g., at step 216). For example, asdiscussed above, the method 400 may be performed responsive to thecommunication protection circuit 146 identifying that the networkdestination (e.g., the URL or the like) from which the user 110 isrequesting content is associated with a fraudulent entity. For example,if the user 110 is requesting a specific webpage that has beenpredesignated by the financial institution 140 as being fraudulent(e.g., in the network destination database 150), the method 400 may beinitiated.

Substitution content is retrieved from the content database 152 at 402.In various embodiments, if any of the security checks performed on thenetwork destination from which the user 110 requesting content indicatethat the third party computing system 132 is associated with afraudulent entity (e.g., if a URL selected by the user is stored in in aURL blacklist maintained at the network destination database 150), therequested content is not delivered to the user computing device 112.Instead, the communication protection circuit 146 retrieves contentstored at the content database 152 to be delivered to the user 110.

In various embodiments, the content retrieved by the communicationprotection circuit 146 is based at least in part on the content receivedby the financial institution computing system 142 from the third partycomputing system 132. For example, the communication protection circuit146, by any of the methods discussed above, may identify the types ofsensitive information that the received content requests from the user.The content retrieved from the content database 152 may be based atleast in part on the identified information types being requested. Forexample, if the communication protection circuit 146 identifies that thethird party 130 is requesting the user to input a name, address, phonenumber, social security number, and bank account number, apre-constructed webpage also requesting such information may beretrieved from the content database 152.

In some, arrangements, the content retrieved from the content database152 may be modified to mimic the content received from the third partycomputing system 132 at 404. For example, the content retrieved at 402may contain various fields or portions that may be populated withimages, messages, and the like that are similar to those included on thecontent received from the third party computing system 132. Thus, thecommunication protection circuit 146 may determine that the contentreceived from the third party computing system 132 contains a particularlogo and retrieve that logo from the content database 152 forincorporation into the webpage retrieved at 402. Additionally, textualmessages contained in the content received from the third partycomputing system 132 (e.g., a message describing why sensitiveinformation is being requested) may be copied and inserted into theretrieved webpage.

The modified substitute content is transmitted to the user computingdevice 112 at 406. The substitute content may be viewable as a webpagevia the client application 116. As such, the user 110 is presented witha webpage that looks similar to the content that was requested from thethird party computing system 132 and also requests sensitive informationfrom the user 110. Thus, the user 110 may enter the requestedinformation and provide an input to the user computing device 112 tosubmit the requested information to the third party computing system132.

The user-input sensitive information is received at 408. In somearrangements, responsive to receiving user-input sensitive information,the communication protection circuit 146 may verify the user 110 byperforming similar steps as those discussed above in relation to steps304-306 of the method 300. This way, even though the sensitiveinformation is not going to be transmitted to the third party computingsystem 222, the communication protection circuit 146 may still determineif unauthorized individuals are attempting to misuse sensitiveinformation. In some arrangements, if the user 110 is not verified, analert may be transmitted to the user computing device 112 or to acomputing device associated with a guardian of the user 110 or the like.

Dummy data is generated at 410. In various embodiments, upon receipt ofthe sensitive information input by the user 110 into the substitutecontent, the communication protection circuit 146 scrambles, encrypts,or otherwise replaces the received user-input information. In someembodiments, the user-input information is replaced with strings ofrandom characters. In any arrangement, the user-input information isrendered undecipherable. Such data is used to populate the variousfields included in the content received from the third party computingsystem 132.

The dummy data is transmitted to the third party computing system 132 at412. For example, upon populating the various fields included in thecontent received from the third party computing system 132 with thedummy data, the dummy data is transmitted to the network destinationfrom which the user 110 initially requested content. As such, sensitiveinformation is not provided to untrusted entities. Furthermore, uponreceipt of such dummy data, the third party computing system 132 maybecome aware of the fact that fake data has been received from thefinancial institution computing system 142. To prevent such instancesfrom continuing to happen, the third party 130 may take various steps toprove its authenticity to the financial institution 140. For example,the third party 130 may obtain a digital certificate from a trustedcertificate authority, and/or transmit verifiable additional informationto the financial institution 140 to prove its identity. In somearrangements, upon the third party 130 taking such steps, the networkdestination may be classified as legitimate in the network destinationdatabase 150.

An alert is transmitted to the user computing device 112 at 414. Invarious embodiments, the alert may be retrieved from the contentdatabase 152 and transmitted to the user computing device 112 over thenetwork 160. The alert may notify the user 110 that sensitiveinformation was almost provided to an untrusted entity. In somearrangements, a plurality of different types of alerts are stored in thecontent database 152. Each alert may be associated with a different typeof scheme designed to extract sensitive information from the user 110.For example, each blacklisted entity, IP address, or URL in the networkdestination database 150 may also be stored in association with the typea scheme through which the blacklisted item attempts to extractsensitive user information. If a particular URL is associated with aphishing scheme, it may be stored as such in the network destinationdatabase 150. Thus, the communication protection circuit 146 mayretrieve an alert associated with the scheme type identified to beapplicable to the third party computing system 132. The alert mayinclude a set of tips for identifying similar schemes, and the like.

In some arrangements, in addition to be transmitted to the usercomputing device 112, the alert may also be transmitted to anothercomputing devices associated with another individual. For example, theuser 110 may have a guardian or the like that was identified when theuser 110 registered for an account at the financial institution 140, orwhen the user installed the protection client 118 on the user computingdevice 112. For example, the user 110 may notify the guardian of theprogram discussed herein, and direct the guardian to install theprotection client 118 on a computing device. Upon the guardian doing so,the computing device may be registered at the financial institutioncomputing system 142 and associated with the user 110 such that,whenever the user receives an alert via any of the methods disclosedherein, the guardian also receives such an alert. Thus, if necessary,the user 110 can received additional assistance in avoiding providingsensitive information to untrusted entities.

The embodiments described herein have been described with reference todrawings. The drawings illustrate certain details of specificembodiments that implement the systems, methods and programs describedherein. However, describing the embodiments with drawings should not beconstrued as imposing on the disclosure any limitations that may bepresent in the drawings.

It should be understood that no claim element herein is to be construedunder the provisions of 35 U. S. C. § 112(f), unless the element isexpressly recited using the phrase “means for.”

As used herein, the term “circuit” may include hardware structured toexecute the functions described herein. In some embodiments, eachrespective “circuit” may include machine-readable media for configuringthe hardware to execute the functions described herein. The circuit maybe embodied as one or more circuitry components including, but notlimited to, processing circuitry, network interfaces, peripheraldevices, input devices, output devices, sensors, etc. In someembodiments, a circuit may take the form of one or more analog circuits,electronic circuits (e.g., integrated circuits (IC), discrete circuits,system on a chip (SOCs) circuits, etc.), telecommunication circuits,hybrid circuits, and any other type of “circuit.” In this regard, the“circuit” may include any type of component for accomplishing orfacilitating achievement of the operations described herein. Forexample, a circuit as described herein may include one or moretransistors, logic gates (e.g., NAND, AND, NOR, OR, XOR, NOT, XNOR,etc.), resistors, multiplexers, registers, capacitors, inductors,diodes, wiring, and so on).

The “circuit” may also include one or more processors communicablycoupled to one or more memory or memory devices. In this regard, the oneor more processors may execute instructions stored in the memory or mayexecute instructions otherwise accessible to the one or more processors.In some embodiments, the one or more processors may be embodied invarious ways. The one or more processors may be constructed in a mannersufficient to perform at least the operations described herein. In someembodiments, the one or more processors may be shared by multiplecircuits (e.g., circuit A and circuit B may comprise or otherwise sharethe same processor which, in some example embodiments, may executeinstructions stored, or otherwise accessed, via different areas ofmemory). Alternatively or additionally, the one or more processors maybe structured to perform or otherwise execute certain operationsindependent of one or more co-processors. In other example embodiments,two or more processors may be coupled via a bus to enable independent,parallel, pipelined, or multi-threaded instruction execution. Eachprocessor may be implemented as one or more general-purpose processors,application specific integrated circuits (ASICs), field programmablegate arrays (FPGAs), digital signal processors (DSPs), or other suitableelectronic data processing components structured to execute instructionsprovided by memory. The one or more processors may take the form of asingle core processor, multi-core processor (e.g., a dual coreprocessor, triple core processor, quad core processor, etc.),microprocessor, etc. In some embodiments, the one or more processors maybe external to the apparatus, for example the one or more processors maybe a remote processor (e.g., a cloud based processor). Alternatively oradditionally, the one or more processors may be internal and/or local tothe apparatus. In this regard, a given circuit or components thereof maybe disposed locally (e.g., as part of a local server, a local computingsystem, etc.) or remotely (e.g., as part of a remote server such as acloud based server). To that end, a “circuit” as described herein mayinclude components that are distributed across one or more locations.

An exemplary system for implementing the overall system or portions ofthe embodiments might include a general purpose computing computers inthe form of computers, including a processing unit, a system memory, anda system bus that couples various system components including the systemmemory to the processing unit. Each memory device may includenon-transient volatile storage media, non-volatile storage media,non-transitory storage media (e.g., one or more volatile and/ornon-volatile memories), etc. In some embodiments, the non-volatile mediamay take the form of ROM, flash memory (e.g., flash memory such as NAND,3D NAND, NOR, 3D NOR, etc.), EEPROM, MRAM, magnetic storage, hard discs,optical discs, etc. In other embodiments, the volatile storage media maytake the form of RAM, TRAM, ZRAM, etc. Combinations of the above arealso included within the scope of machine-readable media. In thisregard, machine-executable instructions comprise, for example,instructions and data which cause a general purpose computer, specialpurpose computer, or special purpose processing machines to perform acertain function or group of functions. Each respective memory devicemay be operable to maintain or otherwise store information relating tothe operations performed by one or more associated circuits, includingprocessor instructions and related data (e.g., database components,object code components, script components, etc.), in accordance with theexample embodiments described herein.

It should also be noted that the term “input devices,” as describedherein, may include any type of input device including, but not limitedto, a keyboard, a keypad, a mouse, joystick or other input devicesperforming a similar function. Comparatively, the term “output device,”as described herein, may include any type of output device including,but not limited to, a computer monitor, printer, facsimile machine, orother output devices performing a similar function.

Any foregoing references to currency or funds are intended to includefiat currencies, non-fiat currencies (e.g., precious metals), andmath-based currencies (often referred to as cryptocurrencies). Examplesof math-based currencies include Bitcoin, Litecoin, Dogecoin, and thelike.

It should be noted that although the diagrams herein may show a specificorder and composition of method steps, it is understood that the orderof these steps may differ from what is depicted. For example, two ormore steps may be performed concurrently or with partial concurrence.Also, some method steps that are performed as discrete steps may becombined, steps being performed as a combined step may be separated intodiscrete steps, the sequence of certain processes may be reversed orotherwise varied, and the nature or number of discrete processes may bealtered or varied. The order or sequence of any element or apparatus maybe varied or substituted according to alternative embodiments.Accordingly, all such modifications are intended to be included withinthe scope of the present disclosure as defined in the appended claims.Such variations will depend on the machine-readable media and hardwaresystems chosen and on designer choice. It is understood that all suchvariations are within the scope of the disclosure. Likewise, softwareand web implementations of the present disclosure could be accomplishedwith standard programming techniques with rule based logic and otherlogic to accomplish the various database searching steps, correlationsteps, comparison steps and decision steps.

The foregoing description of embodiments has been presented for purposesof illustration and description. It is not intended to be exhaustive orto limit the disclosure to the precise form disclosed, and modificationsand variations are possible in light of the above teachings or may beacquired from this disclosure. The embodiments were chosen and describedin order to explain the principals of the disclosure and its practicalapplication to enable one skilled in the art to utilize the variousembodiments and with various modifications as are suited to theparticular use contemplated. Other substitutions, modifications, changesand omissions may be made in the design, operating conditions andarrangement of the embodiments without departing from the scope of thepresent disclosure as expressed in the appended claims.

What is claimed is:
 1. A computing system associated with a firstentity, the computing system comprising: a network interface structuredto communicate data over a network and receive a content request from anetwork destination not associated with the first entity, the contentrequest requesting information from a user; and a processing circuitcomprising a memory and a processor, the memory structured to storeinstructions that are executable by the processor to cause the processorto: determine if the content request transmitted by the networkdestination requests sensitive information from the user, whereindetermining if the content request requests sensitive informationcomprises: transmitting a second content request to the networkdestination; receiving content from the network destination responsiveto the second content request; and determining that the received contentincludes at least one descriptor of sensitive information; retrieve asubstitute webpage from a content database that includes the at leastone descriptor of sensitive information; identify an additionalattribute of the received content, the identified additional attributeincluding at least one of an image contained in the received content ora message contained in the received content; and modify the retrievedsubstitute webpage to include the identified additional attribute. 2.The computing system of claim 1, wherein the retrieved substitutewebpage is transmitted to the user.
 3. The computing system of claim 1,wherein the processing circuit is further configured to determine avalidity of the network destination by cross-checking the networkdestination with network information stored in a network database,wherein the network information indicates whether the networkdestination is associated with a trusted entity or is a fraudulentnetwork destination.
 4. The computing system of claim 1, wherein theprocessing circuit is further configured to verify user input inputtedby the user by comparing the user input with information stored in auser account database structured to store information associated withthe user.
 5. The computing system of claim 1, wherein the processingcircuit is further configured to determine if the content requesttransmitted by the network destination requests sensitive informationfrom the user by analyzing at least one field into which the user mayinput information.
 6. The computing system of claim 1, wherein theprocessing circuit is further configured to determine that the networkdestination is associated with a fraudulent network destination.
 7. Thecomputing system of claim 6, wherein the processing circuit isconfigured to determine if the content request transmitted by thenetwork destination requests sensitive information from the user if thenetwork destination is determined to be associated with the fraudulentnetwork destination.
 8. The computing system of claim 1, wherein thesubstitute webpage comprises a request for sensitive information.
 9. Thecomputing system of claim 8, wherein the processing circuit is furtherstructured to: determine that the network destination is a fraudulentnetwork destination; and receive the user input responsive totransmitting the substitute webpage to the computing device of the user,the user input including sensitive information responsive to the requestfor sensitive information in the substitute webpage.
 10. The computingsystem of claim 9, wherein the processing circuit is further configuredto generate dummy data responsive to receiving the user input, andtransmit the dummy data to the network destination.
 11. The computingsystem of claim 10, wherein the processing circuit generates the dummydata by replacing the sensitive information of the user input with arandomized string of characters.
 12. The computing system of claim 1,wherein the image is a logo associated with the network destination. 13.The computing system of claim 1, wherein the first entity is a financialinstitution.
 14. A method, comprising: receiving, by a computing systemof a first entity, a content request from a network destination notassociated with the first entity, the content request requestinginformation from a user; determining, by the computing system, if thecontent request transmitted by the network destination requestssensitive information from the user, wherein determining if the contentrequest requests sensitive information comprises: transmitting a secondcontent request to the network destination; receiving content from thenetwork destination responsive to the second content request; anddetermining that the received content includes at least one descriptorof sensitive information; identifying, by the computing system, anadditional attribute of the received content, the identified additionalattribute including at least one of an image contained in the receivedcontent or a message contained in the received content; transmitting tothe user, by the computing system, a substitute webpage that includesthe at least one descriptor of sensitive information and the identifiedadditional attribute.
 15. The method of claim 14, further comprisingstoring, by the computing system, in a network database, networkinformation pertaining to the network destination, wherein the networkinformation indicates whether the network destination is associated witha trusted entity or is a fraudulent network destination.
 16. The methodof claim 14, further comprising determining, by the computing system, avalidity of the network destination by cross-checking the networkdestination with network information stored in a network database, thenetwork information indicating whether the network destination isassociated with a trusted entity or is a fraudulent network destination.17. The method of claim 14, further comprising storing, by the computingsystem, in a user account database, information associated with theuser.
 18. The method of claim 14, further comprising verifying, by thecomputing system, user input inputted by the user by comparing the userinput with information stored in a user account database.
 19. The methodof claim 14, wherein determining if the content request transmitted bythe network destination requests sensitive information from the usercomprises analyzing at least one field into which the user may inputinformation.
 20. The method of claim 14, wherein the first entity is afinancial institution.